Introduction

Services and personas define each ISE node’s roles and functions, allowing for scalable and efficient deployment across the network. PassiveID enhances visibility and control by passively collecting identity information from existing network authentication events, enabling ISE to enforce security policies even when traditional authentication methods are not feasible. Together, these features ensure that ISE can effectively manage and secure network access, providing a comprehensive and adaptable security solution.

Enabling ISE Personas and Services

We will walk through enabling services on our ISE node and configuring PassiveID. The Passive Identity Service lets ISE see users who were authenticated by a domain controller rather than directly through 802.1X. This feature will be used in the EasyConnect configuration, which will be explained in future posts. ISE gathers this information by connecting to Active Directory over the Microsoft WMI interface and querying the Windows event log on the domain controller.

In ISE, navigate to Administration>System>Deployment.

Click on the hostname of the ISE node that you would like to edit.

This will bring up the Edit Node page.

Check the following boxes on this page:

  • Enable SXP Service – This service allows devices to exchange Security Group Tag (SGT) to IP address bindings over SXP. In future posts, this will be used with TrustSec.
  • Enable Device Admin Service – Enable this if you are using your ISE node for TACACS+, so that ISE can administer your network access devices. We will address the configuration in future posts.
  • Enable Threat Centric NAC Service – Threat Centric Network Access Control (TC-NAC) lets you create authorization policies based on the threat and vulnerability attributes received from the threat and vulnerability adapters.
  • Enable Passive Identity Service – This enables IP-to-username mapping using WMI or other sources.

Enable the slider for the following persona:

  • pxGrid – This enables the pxGrid service for this node.

Configuring PassiveID

Navigate to Work Centers>PassiveID>Providers>Active Directory.

Click on the name of your Active Directory join point.

If you have not joined your ISE deployment to an Active Directory deployment, follow the directions in this post.

Click on the PassiveID tab.

Click on Add DCs to add a domain controller for PassiveID.

Check the box next to the domain controllers you want to add and click OK.

You will receive the warning: “Edit newly added Domain controllers to ensure they have user and password credentials. DCs added with empty password will be marked as Down.”

This is normal. Click OK.

Check the box next to the domain controller that has been added and click Edit.

In the Edit Item window, add the domain administrator username and password.

Under Protocol, keep the default, WMI.

Click the Configure button to automate configuring all the required settings on the domain controller. Read this post for more information on what is being configured.

After the configuration is complete, click the Test button to ensure the configuration works.

Click Save when done.

If the test between ISE and the domain controller fails, check the following to troubleshoot:

  • The AD credentials used for the configuration
  • The permissions of the AD account used
  • Network connectivity between ISE and the domain controller
  • That ISE is using a DNS server that can resolve the domain controller's FQDN

Click Save on the PassiveID Domain Controllers page when completed.

To verify that PassiveID is working, navigate to Operations>RADIUS>Live Logs.

When you use RDP to connect to a computer, the native Windows supplicant does not attempt to authenticate to the network with 802.1X using those credentials. This gives us a way to test PassiveID: if we RDP to another computer in the domain that is not performing 802.1X and that logon appears as a record in the Live Logs, ISE is receiving the logon events through PassiveID.
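To make the mechanism behind the test above concrete, here is an added Python illustration (not code from the original post or from Cisco ISE) of what the Passive Identity Service derives from the domain controller's logon events: constructed Security-log records are turned into an IP-to-username table, computer accounts are ignored, the newest event per IP wins, and stale bindings age out. The event IDs (4768, 4624), field names, sample users and addresses are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
# Constructed sample records, shaped like the Security-log fields a domain
# controller writes for Kerberos TGT requests (4768) and logons (4624).
# They are made up for this example, not captured from a real DC.
SAMPLE_EVENTS = """\
2024-05-01T08:00:05 EventID=4768 TargetUserName=alice TargetDomainName=CORP IpAddress=::ffff:10.1.20.15
2024-05-01T08:00:07 EventID=4768 TargetUserName=WS01$ TargetDomainName=CORP IpAddress=::ffff:10.1.20.15
2024-05-01T08:10:30 EventID=4624 TargetUserName=bob TargetDomainName=CORP IpAddress=10.1.20.42
2024-05-01T08:20:00 EventID=4768 TargetUserName=carol TargetDomainName=CORP IpAddress=::ffff:10.1.20.15
"""
LOGON_EVENT_IDS = {"4768", "4624"}   # TGT issued / account logged on (assumed)
KV = re.compile(r"(\w+)=(\S+)")      # key=value pairs after the timestamp

@dataclass
class Binding:
    user: str       # DOMAIN\user, as ISE shows it in Live Logs
    seen: datetime  # time of the newest logon event for this IP

def parse_event(line: str):
    """Return (timestamp, fields) for one record, or None if malformed."""
    stamp, _, rest = line.strip().partition(" ")
    try:
        return datetime.fromisoformat(stamp), dict(KV.findall(rest))
    except ValueError:
        return None

def build_bindings(text: str, now: datetime, ttl: timedelta) -> dict[str, Binding]:
    """IP-to-username table from logon events: newest event per IP wins,
    machine accounts (trailing '$') and events older than ttl are ignored,
    IPv4-mapped IPv6 addresses (::ffff:a.b.c.d) are normalised to IPv4."""
    table: dict[str, Binding] = {}
    for line in text.splitlines():
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, f = parsed
        user, ip = f.get("TargetUserName", ""), f.get("IpAddress", "").removeprefix("::ffff:")
        if f.get("EventID") not in LOGON_EVENT_IDS or not (user and ip):
            continue
        if user.endswith("$") or now - ts > ttl:   # computer account or stale
            continue
        if ip not in table or ts > table[ip].seen:
            table[ip] = Binding(f"{f.get('TargetDomainName', '')}\\{user}", ts)
    return table

def sample_bindings(ttl_minutes: int, now: str = "2024-05-01T08:30:00") -> dict[str, Binding]:
    """Run the constructed sample with a given binding lifetime (assumed 'now')."""
    return build_bindings(SAMPLE_EVENTS, datetime.fromisoformat(now), timedelta(minutes=ttl_minutes))
```

With a 60-minute lifetime the table holds carol at 10.1.20.15 (her later event replaces alice's) and bob at 10.1.20.42; with a 15-minute lifetime only carol's binding survives.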